Closed Bug 1474067 Opened 2 years ago Closed 2 years ago

[wpt-sync] Sync PR 11838 - Un-deprecated 'child-src'


(Core :: DOM: Security, enhancement, P4)




Tracking Status
firefox63 --- fixed


(Reporter:, Unassigned)




(Whiteboard: [wptsync downstream][domsecurity-backlog])

Sync web-platform-tests PR 11838 into mozilla-central (this bug is closed when the sync is complete).

Details from upstream follow.

Andy Paicu <> wrote:
>  Un-deprecated 'child-src'
>  'child-src' is now part of the fallback chain for 'worker-src'.
>  This means that 'child-src' always takes precedence over 'script-src'
>  when checking worker requests.
>  Added extra tests to ensure that a worker request blocked by
>  'child-src' and allowed by 'script-src' is blocked.
>  Removed previous logic that considered 'script-src' to be the
>  fallback for 'worker-src' and amended tests. Removed "temporary"
>  logic put in place to not break "child-src" using sites.
>  Refactored the OperativeDirective logic to ensure that the caller
>  does not need to be aware of precise fallback chain of the directive,
>  otherwise the way to get the 'worker-src' operative directive would be:
>  OperativeDirective(worker_src_.Get(),
>        OperativeDirective(child_src_.Get(),
>            OperativeDirective(script_src_.Get())));
>  To be submitted with the spec PR as it includes tests.
>  Spec:
>  Bug: 669496
>  Change-Id: I7ca9552df1d0ce203a604b0e469a268f6b112e49
>  Reviewed-on:
>  WPT-Export-Revision: e0cb359cb9cf659e6ea04915c0afcb5a11b9c866
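
The fallback order described in the commit message above, worked through as an added example (not code from the upstream change or from Firefox). The JavaScript function names, sample policies and URLs are assumptions; the final `default-src` step comes from the CSP spec rather than this page, and source matching is reduced to `'none'`, `'self'` and exact origins.

```javascript
// Added example: which directive governs a worker request under CSP.
// Fallback order from the commit message: worker-src, child-src, script-src.
// Assumption: the final default-src step is taken from the CSP spec, not this page.
const WORKER_CHAIN = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Parse a serialized policy into Map(directive name -> source list).
// A repeated directive is ignored; the first occurrence wins.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// First directive of the chain that the policy declares, or null.
// Callers never spell out the chain themselves.
function operativeDirective(policy, chain = WORKER_CHAIN) {
  return chain.find((name) => policy.has(name)) ?? null;
}

// Simplified matching: only 'none', 'self' and exact origins are understood.
function sourceListAllows(sources, url, selfOrigin) {
  const origin = new URL(url).origin;
  return sources.some((source) => {
    if (source.toLowerCase() === "'self'") return origin === selfOrigin;
    try { return new URL(source).origin === origin; } catch { return false; }
  });
}

function checkWorkerRequest(header, url, selfOrigin) {
  const policy = parsePolicy(header);
  const directive = operativeDirective(policy);
  // No directive anywhere in the chain: this policy does not restrict workers.
  const allowed = directive === null ||
    sourceListAllows(policy.get(directive), url, selfOrigin);
  return { directive, allowed };
}

// Constructed sample: the case the new tests cover.
const sample = checkWorkerRequest("child-src 'none'; script-src 'self'",
  'https://app.example/worker.js', 'https://app.example');
console.log(sample); // { directive: 'child-src', allowed: false }
```

Once a directive earlier in the chain is declared, later ones are never consulted for worker requests, even when they would have allowed the load.
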
Component: web-platform-tests → DOM: Security
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Whiteboard: [wptsync downstream][domsecurity-backlog] → [wptsync downstream]
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Whiteboard: [wptsync downstream][domsecurity-backlog] → [wptsync downstream]
Ran 15 tests and 15 subtests
OK     : 15
PASS   : 12
FAIL   : 3

New tests that have failures or other problems:
    Same-origin dedicated worker allowed by worker-src 'self'.: FAIL
    Same-origin service worker allowed by child-src 'self'.: FAIL
    Same-origin shared worker allowed by child-src 'self'.: FAIL
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Pushed by
[wpt PR 11838] - Un-deprecated 'child-src', a=testonly
[wpt PR 11838] - Update wpt metadata, a=testonly
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63